====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: buildah security and bug fix update
Advisory ID:       RHSA-2023:2253-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:2253
Issue date:        2023-05-09
CVE Names:         CVE-2022-30629 CVE-2022-41717
====================================================================

1. Summary:

An update for buildah is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

The buildah package provides a tool for facilitating building OCI container images. Among other things, buildah enables you to:

* Create a working container, either from scratch or using an image as a starting point.
* Create an image, either from a working container or using the instructions in a Dockerfile.
* Build both Docker and OCI images.

Security Fix(es):

* golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)

* golang: crypto/tls: session tickets lack random ticket_age_add (CVE-2022-30629)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.2 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add
2142494 - buildah installation includes runc as a dependency [RHEL 9.2]
2150429 - SIGSEGV: segmentation violation on s390x
2151247 - Buildah push image to redhat quay with sigstore was failed [RHEL9.2]
2152001 - buildah: ubi8 sticky bit removed from /tmp
2161274 - CVE-2022-41717 golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests
2166225 - Error: mount /var/lib/containers/storage/overlay:/var/lib/containers/storage/overlay, flags: 0x1000: operation not permitted
2182315 - buildah-1.29.1 required in RHEL9.2.0

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
buildah-1.29.1-1.el9.src.rpm

aarch64:
buildah-1.29.1-1.el9.aarch64.rpm
buildah-debuginfo-1.29.1-1.el9.aarch64.rpm
buildah-debugsource-1.29.1-1.el9.aarch64.rpm
buildah-tests-1.29.1-1.el9.aarch64.rpm
buildah-tests-debuginfo-1.29.1-1.el9.aarch64.rpm

ppc64le:
buildah-1.29.1-1.el9.ppc64le.rpm
buildah-debuginfo-1.29.1-1.el9.ppc64le.rpm
buildah-debugsource-1.29.1-1.el9.ppc64le.rpm
buildah-tests-1.29.1-1.el9.ppc64le.rpm
buildah-tests-debuginfo-1.29.1-1.el9.ppc64le.rpm

s390x:
buildah-1.29.1-1.el9.s390x.rpm
buildah-debuginfo-1.29.1-1.el9.s390x.rpm
buildah-debugsource-1.29.1-1.el9.s390x.rpm
buildah-tests-1.29.1-1.el9.s390x.rpm
buildah-tests-debuginfo-1.29.1-1.el9.s390x.rpm

x86_64:
buildah-1.29.1-1.el9.x86_64.rpm
buildah-debuginfo-1.29.1-1.el9.x86_64.rpm
buildah-debugsource-1.29.1-1.el9.x86_64.rpm
buildah-tests-1.29.1-1.el9.x86_64.rpm
buildah-tests-debuginfo-1.29.1-1.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-30629
https://access.redhat.com/security/cve/CVE-2022-41717
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
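An added check, not part of the advisory or of Red Hat's tooling, that decides whether an installed buildah build is older than the fixed build buildah-1.29.1-1.el9 from the Package List above. The comparison helpers are written for this example; the `rpm -q` query assumes an RPM-based host such as RHEL 9.

```shell
#!/bin/sh
# Added example, not Red Hat's tooling: flag hosts whose installed buildah
# predates the fixed build from the Package List of RHSA-2023:2253.

FIXED_NVR="1.29.1-1.el9"   # version-release taken from the advisory

# num_cmp A B: compare dotted strings segment by segment; prints -1, 0 or 1.
# Non-numeric segments such as "el9" count as 0, so "1.el9" vs "2.el9"
# is decided by the leading build number.
num_cmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"
    case "$x" in ''|*[!0-9]*) x=0;; esac
    case "$y" in ''|*[!0-9]*) y=0;; esac
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
    case "$a" in *.*) a="${a#*.}";; *) a="";; esac
    case "$b" in *.*) b="${b#*.}";; *) b="";; esac
  done
  printf '%s\n' 0
}

# nvr_cmp A B: compare "VERSION-RELEASE" strings, version first, then release.
nvr_cmp() {
  r=$(num_cmp "${1%%-*}" "${2%%-*}")
  if [ "$r" != 0 ]; then printf '%s\n' "$r"; return 0; fi
  num_cmp "${1#*-}" "${2#*-}"
}

# is_vulnerable NVR: succeeds (exit 0) when NVR is older than FIXED_NVR.
is_vulnerable() {
  [ "$(nvr_cmp "$1" "$FIXED_NVR")" = -1 ]
}

# check_host: query the RPM database (assumes rpm is available) and report.
# Exit status 1 means the advisory still needs to be applied on this host.
check_host() {
  installed=$(rpm -q buildah --qf '%{VERSION}-%{RELEASE}' 2>/dev/null) ||
    { echo "buildah is not installed"; return 0; }
  if is_vulnerable "$installed"; then
    echo "buildah-$installed is older than $FIXED_NVR: apply RHSA-2023:2253"
    return 1
  fi
  echo "buildah-$installed is at or above $FIXED_NVR"
}
```

Source the file and run `check_host`; the advisory's own GPG key page linked above remains the reference for verifying the package signatures before installing.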